Preserve digests for SNI.

SSL_set_SSL_CTX is normally called for SNI after ClientHello has received and the digest to use for each certificate has been decided. The original ssl->cert contains the negotiated digests and is now copied to the new ssl->cert. PR: 3560 Reviewed-by: Tim Hudson <tjh@openssl.org>
author: Dr. Stephen Henson <steve@openssl.org> 2014-10-10 13:18:09 +0100
committer: Dr. Stephen Henson <steve@openssl.org> 2014-10-10 23:21:14 +0100
commit: 4e05aedbcab7f7f83a887e952ebdcc5d4f2291e4 (patch)
tree: 4011a00435e2042ac0fce8b01731fbbc12afeb28 /ssl/ssl_lib.c
parent: bf3e200eb4bd180169bb2caa8472e1533692fb9f (diff)
1 files changed, 13 insertions, 2 deletions
diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
index 82a2c80129..cc094e4106 100644
--- a/ssl/ssl_lib.c
+++ b/ssl/ssl_lib.c
@@ -2944,15 +2944,26 @@ SSL_CTX *SSL_get_SSL_CTX(const SSL *ssl)
 
 SSL_CTX *SSL_set_SSL_CTX(SSL *ssl, SSL_CTX* ctx)
 	{
+	CERT *ocert = ssl->cert;
 	if (ssl->ctx == ctx)
 		return ssl->ctx;
 #ifndef OPENSSL_NO_TLSEXT
 	if (ctx == NULL)
 		ctx = ssl->initial_ctx;
 #endif
-	if (ssl->cert != NULL)
-		ssl_cert_free(ssl->cert);
 	ssl->cert = ssl_cert_dup(ctx->cert);
+	if (ocert != NULL)
+		{
+		int i;
+		/* Copy negotiated digests from original */
+		for (i = 0; i < SSL_PKEY_NUM; i++)
+			{
+			CERT_PKEY *cpk = ocert->pkeys + i;
+			CERT_PKEY *rpk = ssl->cert->pkeys + i;
+			rpk->digest = cpk->digest;
+			}
+		ssl_cert_free(ocert);
+		}
 	CRYPTO_add(&ctx->references,1,CRYPTO_LOCK_SSL_CTX);
 	if (ssl->ctx != NULL)
 		SSL_CTX_free(ssl->ctx); /* decrement reference count */
author	Dr. Stephen Henson <steve@openssl.org>	2014-10-10 13:18:09 +0100
committer	Dr. Stephen Henson <steve@openssl.org>	2014-10-10 23:21:14 +0100
commit	4e05aedbcab7f7f83a887e952ebdcc5d4f2291e4 (patch)
tree	4011a00435e2042ac0fce8b01731fbbc12afeb28 /ssl/ssl_lib.c
parent	bf3e200eb4bd180169bb2caa8472e1533692fb9f (diff)